Pending Claims, Amended Claims Under 37 C.F.R. § 1.116(b):

Claims 1-20, now pending, are submitted below, which presents a clean
version of the entire set of pending claims. (Claims 3, 7 and 12-19, which were
previously amended, are presented in this response under 37 C.F.R. § 1.116(b) in
form for consideration on appeal.)



1. (Unchanged) A method for inspecting an encrypted data stream being
transferred over a network between two endpoints, the data stream being encrypted
using a session key known to both endpoints, the method comprising:

securely transferring the session key from one of the endpoints to an
intermediary having access to the encrypted data stream;

decrypting the encrypted data stream at the intermediary using the session
key; and

inspecting the data stream following decryption.

2. (Unchanged) A method as recited in claim 1, wherein securely 
transferring comprises: 

encrypting the session key using a public key associated with the 
intermediary; and 

sending the encrypted session key to the intermediary.

3. (Amended Once) A method as recited in claim 1, wherein securely
transferring comprises:

encrypting the session key using a public key associated with the
intermediary;

signing the encrypted session key using a private key associated with the
one of the endpoints; and

sending the signed and encrypted session key to the intermediary.

4. (Unchanged) A method as recited in claim 1, further comprising
storing the data stream at the intermediary.

5. (Unchanged) A method for inspecting an encrypted data stream being
transferred over a network between two endpoints and via an intermediary, the
data stream being encrypted using a session key known to both endpoints, the
method comprising:

storing a public key from a public/private key pair associated with one of
the endpoints at a key storage;

storing a public key from a public/private key pair associated with the
intermediary at the key storage;

obtaining, at said one endpoint, the intermediary's public key from the key
storage;

encrypting, at said one endpoint, the session key using the intermediary's
public key to produce an encrypted session key;

encrypting, at said one endpoint, the encrypted session key using a private
key from the public/private key pair associated with said one endpoint to produce a
signed encrypted session key;

passing the signed encrypted session key to the intermediary;

obtaining, at the intermediary, the one endpoint's public key from the key
storage;

decrypting, at the intermediary, the signed encrypted session key using the
one endpoint's public key to return the encrypted session key;

decrypting, at the intermediary, the encrypted session key using the
intermediary's private key to return the session key; and

using the session key at the intermediary to decrypt the encrypted data
stream.

6. (Unchanged) In a network system in which an encrypted data stream
is transferred over a network between two endpoints and via an intermediary, the
data stream being encrypted using a session key known to both endpoints,
computer-readable media at one of the endpoints and at the intermediary storing
computer-executable instructions for performing the method as recited in claim 5.

7. (Amended Once) In a network system having an internal client that
exchanges encrypted data with an external client over a network and through a 
firewall intermediate of the internal and external clients, the encrypted data being 
encrypted using a session key known to the internal and external clients, a method 
executed at the firewall comprising: 

receiving an encrypted and signed session key from the internal client, the 
encrypted and signed session key bearing a digital signature of the internal client; 
authenticating the digital signature as belonging to the internal client; 
decrypting the session key; and 

decrypting the encrypted data being exchanged between the internal and 
external clients using the session key. 
8. (Unchanged) A method as recited in claim 7, wherein the encrypted
and signed session key is encrypted using a public key from a public/private key
pair associated with the firewall, and the decrypting comprises decrypting the
session key using a private key from the public/private key pair.

9. (Unchanged) A method as recited in claim 7, further comprising
inspecting the data in an unencrypted form.

10. (Unchanged) A method as recited in claim 7, further comprising
storing the data in an unencrypted form.

11. (Unchanged) In a network system having an external client that
exchanges encrypted data with an external client over a network and through a
firewall intermediate of the internal and external clients, the encrypted data being
encrypted using a session key known to the internal and external clients, a
computer-readable medium resident at the firewall storing computer-executable
instructions for performing the method as recited in claim 7.

12. (Amended Once) A network system comprising:

an internal client device and an external client device configured to
communicate encrypted data over a network using virtual private network
communication, the data being encrypted using a session key;

an intermediary device having access to the encrypted data being
communicated between the internal client device and the external client device;

the internal client device being configured to securely transfer the session
key to the intermediary device; and

the intermediary device being configured to decrypt the data using the
session key and to inspect the data.

13. (Amended Once) A network system as recited in claim 12, wherein
the internal client device encrypts the session key prior to sending it to the
intermediary device.

14. (Amended Once) A network system as recited in claim 12, wherein
the internal client device encrypts and signs the session key prior to sending it to
the intermediary device.

15. (Amended Once) A network system as recited in claim 12, wherein 
the intermediary device stores the data in unencrypted form. 

16. (Amended Once) A software architecture for a network system
having two endpoints that exchange encrypted data over a network and through an
intermediary, the encrypted data being encrypted using a session key known to the
endpoints, comprising:

endpoint-resident code stored on computer readable media and executable
on a processor to encrypt the session key using a public key from a public/private
key pair associated with the intermediary and to sign the encrypted session key
with a digital signature, the endpoint-resident code being capable of sending the
signed and encrypted session key to the intermediary; and

intermediary-resident code stored on computer readable media and
executable on the processor to authenticate the digital signature and decrypt the
encrypted session key using a private key from the public/private key pair
associated with the intermediary, the intermediary-resident code using the session
key to decrypt the encrypted data as it is being exchanged between the two
endpoints.
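The key-transfer procedure of claims 5, 7 and 16 (encrypt the session key to the intermediary, sign it at the endpoint, authenticate the signature at the intermediary before decrypting, then use the session key on the data stream) worked through as an added example in Go; this is illustrative code, not part of the application or any product it describes. It assumes RSA-OAEP for the encryption step, RSA-PSS as the modern realisation of the private-key "signing" step, and AES-GCM records for the data stream; the function names are this example's own.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// WrapSessionKey is the endpoint side of claim 5: encrypt the session key under the
// intermediary's public key (RSA-OAEP), then sign that ciphertext with the endpoint's
// private key (RSA-PSS). Returns the encrypted key and the signature over it.
func WrapSessionKey(sessionKey []byte, interPub *rsa.PublicKey, endpointPriv *rsa.PrivateKey) (wrapped, sig []byte, err error) {
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, interPub, sessionKey, nil)
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(wrapped)
	sig, err = rsa.SignPSS(rand.Reader, endpointPriv, crypto.SHA256, digest[:], nil)
	return wrapped, sig, err
}

// UnwrapSessionKey is the intermediary side: authenticate the signature with the
// endpoint's public key (fetched from key storage) before the intermediary's private
// key is used at all, so a key not signed by the expected endpoint is refused.
func UnwrapSessionKey(wrapped, sig []byte, endpointPub *rsa.PublicKey, interPriv *rsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(wrapped)
	if err := rsa.VerifyPSS(endpointPub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, errors.New("session key not signed by the expected endpoint")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, interPriv, wrapped, nil)
}

// DecryptRecord uses the recovered session key to decrypt one AES-GCM record of the
// data stream so the intermediary can inspect (or store) it in the clear.
func DecryptRecord(sessionKey, nonce, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ciphertext, nil)
}
```

The signature check is what stops a third party from handing the intermediary a key of its own choosing; the AES-GCM tag likewise makes a tampered record fail to open rather than decrypt to garbage.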

17. (Amended Once) A software architecture as recited in claim 16,
wherein the intermediary-resident code inspects the data in unencrypted form.

18. (Amended Once) A software architecture as recited in claim 16,
wherein the intermediary-resident code stores the data in unencrypted form.

19. (Amended Once) In a network system having an internal client that
exchanges encrypted data with an external client over a network and through a
firewall intermediate of the internal and external clients, the encrypted data being
encrypted using a session key known to the internal and external clients, computer-
readable media distributed at the internal client and the firewall storing computer-
executable instructions for

encrypting the session key at the internal client;

signing the encrypted session key with a digital signature associated with
the internal client;

passing the signed and encrypted session key to the intermediary;

authenticating, at the intermediary, the digital signature of the internal
client;